Blog Spammers and which CAPTCHA, 5 reviewed

CAPTCHA, standing for “Completely Automated Public Turing test to tell Computers and Humans Apart”, has been around since 2000, so it was already fairly well developed when the bots peddling commercial junk surfaced a couple of years later and started targeting blogs, guest books and wikis, which remain their main targets.

Over the years I have used many, both as a consumer and as a developer. On projects the choice is usually left to me; what has happened a couple of times is that a default CMS installation comes with a CAPTCHA pre-installed to protect forms, normally a comment, contact or registration form. This works fine for a couple of weeks, then when the bots find the page they inundate it with abuse.

Some forms, like the talent application on ImageFolio, are fairly resistant to abuse by design, as they ask questions which mean very little to a spammer bot; the page name “become_a_model” will mean nothing to them. I have, though, left a very simple CAPTCHA there in case I need to improve on the feature in the future, so it won’t be too much of a shock to clients.

Quite often the CAPTCHA systems need to be tightened up by increasing complexity; if that still isn’t doing the job, replace it. I wish that wasn’t the case, but the bot developers are well funded, and the abuse must continue: the sales of backlinks on fiverr.com, with prices as low as 1500 for $5, have to be fulfilled somehow.

My biggest problem with these spammers these days is not the actual spam; on blog installations it’s the sheer number of fake accounts they create. The actual spam is caught by a spam filter, but the abusers insist on creating accounts even though I often allow anonymous commenting on sites, without the need to log in.

Anyway, here’s a short write-up on a few CAPTCHAs I’m using on WordPress.

The criteria I will measure them by are the number of false positives (people mis-entering) compared to the ability of spammers to circumvent them (spam comments or accounts).
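To make those two criteria measurable on a real site, here is an added scoring script (illustration written for this review, not code from the post or from any CAPTCHA vendor). It assumes a per-attempt log where each line carries a session id, the CAPTCHA in use, pass/fail, and, for passes, how the resulting comment or account was later classified by the spam filter or moderator; the log lines in it are constructed. A session that failed and then passed with a genuine submission counts as a human who mis-entered (a false positive); a pass that was later classified as spam counts as a circumvention.

```python
"""Score a CAPTCHA by the two criteria in the post: false positives (genuine
people who mis-enter) versus circumvention (spam that still gets through).

Added illustration, not code from the post or from any CAPTCHA vendor.
Assumes a per-attempt log (format below) with ground truth taken from the
spam filter's later verdict on whatever the pass let through. The log is
constructed sample data.
"""
from collections import defaultdict

# Constructed log: session captcha result later_classification
# (classification is "-" for failed attempts, since nothing was submitted)
SAMPLE_LOG = """\
s01 math pass ham
s02 math pass spam
s03 math pass spam
s04 math fail -
s04 math pass ham
s05 math pass spam
s06 text fail -
s06 text fail -
s06 text pass ham
s07 text pass ham
s08 text fail -
s09 text pass spam
s10 text fail -
s10 text pass ham
"""


def parse_log(text):
    """Group attempts by (captcha, session), preserving attempt order."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        session, captcha, result, klass = line.split()
        sessions[(captcha, session)].append((result, klass))
    return sessions


def score(text):
    """Return per-CAPTCHA metrics:
    false_positive_rate: share of genuine (ham) sessions that failed at least once
    bypass_share:        share of passing sessions that were later classified spam
    unresolved:          sessions that never passed (gave up, or a bot that failed)
    """
    per_captcha = defaultdict(lambda: {"human": 0, "human_tripped": 0,
                                       "passed": 0, "bypassed": 0, "unresolved": 0})
    for (captcha, _session), attempts in parse_log(text).items():
        m = per_captcha[captcha]
        pass_verdicts = [klass for result, klass in attempts if result == "pass"]
        failed_first = any(result == "fail" for result, _ in attempts)
        if not pass_verdicts:
            m["unresolved"] += 1        # never solved it; could be a lost visitor or a bot
            continue
        m["passed"] += 1
        if "spam" in pass_verdicts:
            m["bypassed"] += 1          # the CAPTCHA let a spammer through
        else:
            m["human"] += 1
            if failed_first:
                m["human_tripped"] += 1  # a genuine person mis-entered before passing
    out = {}
    for captcha, m in per_captcha.items():
        out[captcha] = {
            "false_positive_rate": m["human_tripped"] / m["human"] if m["human"] else 0.0,
            "bypass_share": m["bypassed"] / m["passed"] if m["passed"] else 0.0,
            "unresolved": m["unresolved"],
        }
    return out


if __name__ == "__main__":
    for name, metrics in score(SAMPLE_LOG).items():
        print(name, metrics)
```

The unresolved count is worth watching alongside the two rates: a genuine visitor who gives up after a failed attempt is the costliest false positive of all, and this log format cannot tell them apart from a bot that never got through.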

BotDetect: a very wide variety of platforms supported, with free and paid options; the users of their library are impressive, including many international government departments. I haven’t opted yet for the paid version; the only advantage would be the removal of the branding, which clients have not complained about. It is a classic, fairly simple to read distorted-text puzzle; I am guessing what gives it the edge over others is the changing backgrounds that challenge the bots.

Setup is not simple, requiring not just installation using WordPress’s add plugin feature but also uploading the libraries to the wp-content folder and moving them to another directory. But once it’s there, it’s very simple, with options to protect Login, Comments, User Registration and Lost Passwords, and the expected control of character count and CAPTCHA size. There is also an option to disable audio; I would suggest this is removed, as I can’t think of an instance where you would want to exclude the visually impaired. Support for feedback and contact forms is missing, but I am told by the developer they are working on this feature now.

SweetCaptcha: most CMS platforms supported, a single free no-strings offering. Not the normal distorted text, but a drag-and-drop puzzle to solve. I have heard of some problems on certain devices when completing the puzzle, but have not seen the evidence and was unable to replicate them; even my normally fussy “noscript” Firefox and antique Windows phone were happy with it. A unique, fun design with some amusing themes which you can switch between, and from what I can tell it can be applied to any input form on a CMS. I have not seen a bot able to solve the puzzle, but I have seen a lot of users get it wrong the first and second time. I have no idea why; maybe a language thing, in which case maybe I don’t know what Victor’s favourite colour is? I’d suggest they research their puzzles a bit more and add an audio option, which I think is essential and is noticeably missing.

UPDATE 9th June 2015: SweetCaptcha has been serving malware via their script. I am sorry to have recommended them; use at your own risk.

reCAPTCHA: made and used by Google, offered for free and fully open source. It’s bundled in a number of plugins for WordPress but not as a plugin itself; fairly easy to use, only needing the input of an API key to get going after installing whatever plugin it came bundled with. I believe for a long time this was the best available; I have seen bots bypass it, and quite quickly the developers improved it. But again, people do have a lot of problems reading the distorted text, to the point of giving up on it and resorting to the audio when they obviously have good eyesight. There is a variety of options, but not on puzzle strength; layout of the widget and colour/style options are available. There is a large community of developers integrating reCAPTCHA into systems, which is both the reason abusers occasionally circumvent it and why updates to the code are quickly developed.

Captcha by BestWeb: available stand-alone, free and paid, and bundled with many of BestWebSoft’s other popular plugins, which are all very simple to use. Its simple mathematical challenges I personally find easier than any other, nearly second nature. I think the bots, unless the text numbers are enabled (one, two...), don’t see this CAPTCHA as much of a challenge; I have tested this on some heavily targeted sites and it was next to useless in stopping the 100+ fake signups a day they were suffering. That said, many people seem happy with it. The fact that it is bundled with so many other plugins leaves me a little surprised that they haven’t improved on it.

SI CAPTCHA: I won’t go into too much detail. For a long time it was good at what it did, stopping spam and the associated accounts; traditional distorted text, more readable (to me anyway) than most, with few fails. Easy to install, but it does little to stop abuse now. I did hear that maybe spammers had found another way of bypassing the puzzle, not actually solving it, maybe even looking for forms that use this CAPTCHA solution. I’ve been unable to find a link to that discussion now, so can’t be certain; I will update if I find it.

Asirra: an interesting open source project sponsored by Microsoft that I watched develop for a few years, which leveraged humans’ unique ability to separate pictures of kittens and puppies, and their enjoyment of doing so. Sadly, after many attempts at bringing it to the masses, Asirra’s potential doesn’t seem to have been realized. I am sure themed versions would be very popular if they were applied to the subject matter of the site, say male and female models for a model agency.

Summary

For me, at the moment BotDetect, although still in beta, has the lowest rate of false positives (people mis-entering) compared to spammers able to abuse it, and is very suitable for high-volume traffic sites; I am anxiously waiting on their contact form support. For a light-traffic site that is not being targeted and can get away with the unique look, you should go for SweetCaptcha; for any that can’t, sorry, I can’t really recommend one. Of course you may be forced to use the solution supplied with your plugin (contact forms etc.), or maybe you should choose your plugin based on the CAPTCHA it employs.

Keep in mind that the developers may be fixing any shortcomings I have mentioned whilst I type, or that I am praising a solution that could be circumvented tomorrow. Read the current reviews, and be prepared to switch out, maybe very quickly, which may not be so easy if it is tied to another plugin you are dependent on. Feedback on this article is very welcome, of course not from spammers.